
Risk-Based Audit Approach Explained: Methodology & Application

Complete guide to risk-based audit methodology. Learn about risk assessment, inherent and control risk, audit procedures, and practical application in UAE audits.

Farahat & Co Audit Team
Ministry-Approved Auditors
November 24, 2025

Your auditor spent 8 days testing your AED 12M inventory but only 2 hours on your AED 15M bank balance. Why such a large difference in effort when the bank balance is actually larger, and how do auditors decide what to focus on and what to test lightly? Risk-based auditing is the fundamental methodology (required by ISA 315) in which auditors assess risk in each financial statement area and allocate audit effort proportionally. Many UAE business owners, however, don't understand how the audit risk model works (Audit Risk = Inherent Risk × Control Risk × Detection Risk), why certain accounts like revenue and inventory receive intense scrutiny while others like cash get minimal testing, or how this risk-based approach directly impacts audit fees and timeline.

With 37 years conducting risk-based audits for 28,000+ UAE businesses across every industry (trading, manufacturing, services, real estate, logistics), Farahat & Co's audit methodology systematically identifies where misstatements are most likely to occur and focuses our effort there—ensuring efficient audits that detect material errors without wasting time on low-risk areas. Our risk assessment experience across UAE's unique business environment (high related-party activity, complex free zone structures, rapid growth companies) means we know exactly where to look.

This comprehensive risk-based audit guide explains:

  • The audit risk model formula: How inherent, control, and detection risk multiply together
  • Inherent risk assessment: Why inventory and revenue are "inherently" higher risk than cash
  • Control risk evaluation: How strong controls reduce audit testing (and weak controls increase it)
  • Detection risk management: How auditors adjust procedures to keep overall audit risk acceptably low
  • Practical UAE examples: Risk ratings for common accounts (receivables, payables, inventory, revenue)
  • Impact on audit scope: Why high-risk areas get 10× more testing than low-risk areas
  • Impact on audit fees: How risk assessment affects your audit cost (+40% for high-risk businesses)
  • Risk response strategies: What "increased substantive testing" actually means in practice

Whether you're a DMCC trading company wondering why your auditor spent a week on revenue testing, a manufacturing business trying to understand why inventory count is so critical, or a CFO wanting to reduce audit fees by improving controls, this expert guide—based on thousands of risk assessments—demystifies how auditors think and work.


The Audit Risk Model: Foundation of Modern Auditing

The Formula Explained

ISA 315 Audit Risk Model:

Audit Risk = Inherent Risk × Control Risk × Detection Risk

Target: Keep Audit Risk ≤ 5% (acceptable low level)

What Each Component Means:

Inherent Risk (IR):

  • Risk of material misstatement BEFORE considering internal controls
  • "How likely is this account to have errors naturally?"
  • Based on nature of transactions, complexity, judgment required

Control Risk (CR):

  • Risk that internal controls WON'T prevent or detect material misstatements
  • "Will the company's controls catch errors?"
  • Based on design and operating effectiveness of controls

Detection Risk (DR):

  • Risk that auditor's procedures WON'T detect material misstatements
  • "How much testing must auditor do to catch errors?"
  • This is what auditor CONTROLS through extent of testing

How the Formula Works (Practical Example)

Example 1: High-Risk Account (Inventory)

Trading Company - AED 8M Inventory:

Step 1: Assess Inherent Risk

  • Complex inventory (multiple SKUs, fast-moving)
  • Valuation requires judgment (obsolescence)
  • Physical count required
  • Cut-off timing critical
  • Inherent Risk: 60% (HIGH)

Step 2: Assess Control Risk

  • No perpetual inventory system (only annual count)
  • No cycle counting program
  • Weak controls over receiving/shipping
  • Control Risk: 70% (HIGH)

Step 3: Calculate Required Detection Risk

Formula: Audit Risk = IR × CR × DR

Target Audit Risk: 5% (acceptable)

Solve for DR:

  • 5% = 60% × 70% × DR
  • 5% = 42% × DR
  • DR = 5% ÷ 42% = 12% (VERY LOW)

What This Means:

  • Auditor must keep detection risk at only 12%
  • Requires EXTENSIVE testing (88% confidence needed from audit procedures)
  • Heavy audit work: Full inventory count observation, detailed valuation testing, extensive cut-off testing

Example 2: Low-Risk Account (Cash in Bank)

Same Trading Company - AED 15M Cash:

Step 1: Assess Inherent Risk

  • Simple transactions (deposits, withdrawals)
  • Easy to verify (bank statements)
  • Minimal judgment required
  • Inherent Risk: 10% (LOW)

Step 2: Assess Control Risk

  • Strong bank reconciliation process
  • Regular reconciliations (monthly)
  • Segregation of duties (different staff reconcile vs. handle cash)
  • Control Risk: 20% (LOW)

Step 3: Calculate Required Detection Risk

Target Audit Risk: 5% (acceptable)

Solve for DR:

  • 5% = 10% × 20% × DR
  • 5% = 2% × DR
  • DR = 5% ÷ 2% = 250% (Can accept very high detection risk)

What This Means:

  • Detection risk can be very high
  • Minimal audit testing required
  • Light audit work: Bank confirmation, review reconciliation, done in 2 hours

Why Auditor Spent 8 Days on AED 8M Inventory vs. 2 Hours on AED 15M Cash:

| Account | Balance | IR × CR | Required DR | Audit Effort |
| --- | --- | --- | --- | --- |
| Inventory | AED 8M | 60% × 70% = 42% | 12% (very low) | 8 days (extensive) |
| Cash | AED 15M | 10% × 20% = 2% | 250% (very high) | 2 hours (minimal) |

Answer: The account with higher risk (inventory) gets 32× more audit time despite being a smaller balance!


Inherent Risk Assessment: What Makes Accounts "Risky"?

High Inherent Risk Factors

1. Complexity

  • Complex calculations or judgments
  • Multiple steps in transaction processing
  • Technical accounting standards (IFRS 15, IFRS 16, IAS 36)

Example: Revenue recognition for long-term construction contracts (IFRS 15)

  • Inherent Risk: HIGH
  • Requires judgment (% completion estimation, variable consideration)

2. Susceptibility to Fraud

  • Easy to manipulate
  • Management pressure to achieve targets
  • High cash involvement

Example: Cash sales in retail business

  • Inherent Risk: MEDIUM-HIGH
  • Risk of unrecorded sales, employee theft

3. Valuation Uncertainty

  • Requires estimates or assumptions
  • Market values fluctuate
  • No objective prices

Example: Investment property valuation (IAS 40)

  • Inherent Risk: HIGH
  • Relies on appraiser estimates, market assumptions

4. Volume of Transactions

  • High volume = more opportunities for errors
  • Manual processing increases risk

Example: Trading company with 10,000 purchases annually

  • Inherent Risk: MEDIUM-HIGH
  • Volume creates error opportunities

5. Change

  • New systems, new business lines, new regulations
  • Unfamiliar territory = higher error risk

Example: Company implementing new ERP system mid-year

  • Inherent Risk: HIGH
  • Conversion errors, learning curve

Inherent Risk Ratings: Common UAE Accounts

Trading Company Example:

| Account | Inherent Risk | Why |
| --- | --- | --- |
| Revenue | HIGH (60-80%) | Cut-off timing, related parties, recognition rules |
| Cost of Sales | HIGH (50-70%) | Inventory valuation, matching to revenue |
| Inventory | HIGH (60-80%) | Physical count, obsolescence, valuation |
| Accounts Receivable | MEDIUM-HIGH (40-60%) | Collectibility estimates, bad debt provisioning |
| Accounts Payable | MEDIUM (30-50%) | Completeness (risk of unrecorded liabilities) |
| Fixed Assets | LOW-MEDIUM (20-40%) | Straightforward, infrequent transactions |
| Cash | LOW (10-20%) | Easy to verify, simple transactions |
| Share Capital | LOW (5-10%) | Infrequent, well-documented |

Real Estate Company Example:

| Account | Inherent Risk | Why |
| --- | --- | --- |
| Investment Property | VERY HIGH (70-90%) | Fair value estimates, appraiser judgment |
| Rental Revenue | MEDIUM (30-50%) | Straight-line recognition (IFRS 16), lease modifications |
| Depreciation (if cost model) | MEDIUM-HIGH (40-60%) | Useful life estimates, residual values |
| Cash | LOW (10-20%) | Same as any business |

Control Risk Assessment: How Controls Reduce Risk

What Are Internal Controls?

COSO Definition: Processes designed to provide reasonable assurance regarding:

  • Reliability of financial reporting
  • Effectiveness of operations
  • Compliance with laws

Key Controls for Financial Reporting:

  • Segregation of duties
  • Authorization and approval
  • Reconciliations
  • Physical controls
  • IT general controls

Strong Controls = Lower Control Risk = Less Audit Testing

Example: Accounts Payable Processing

Company A: Weak Controls

Process:

  • Accounts Payable clerk can:
    • Create vendors
    • Enter invoices
    • Approve payments
    • Print checks
    • Sign checks
  • No segregation of duties
  • No independent review

Control Risk Assessment: 80% (HIGH)

Auditor Response:

  • Cannot rely on controls
  • Must test payments extensively
  • Sample size: 80 transactions (out of 2,000 total)
  • Audit time: 12 hours

Company B: Strong Controls

Process:

  • Purchasing Dept creates purchase orders
  • Receiving Dept confirms receipt (3-way match)
  • Accounts Payable enters invoices (matches to PO and receipt)
  • Manager approves payments > AED 10K
  • Treasurer signs checks (separate from AP)
  • Monthly vendor reconciliations

Control Risk Assessment: 25% (LOW)

Auditor Response:

  • Can rely on controls (after testing control design/operation)
  • Reduced substantive testing
  • Sample size: 25 transactions (out of 2,000 total)
  • Audit time: 4 hours

Result: Company B saves 8 hours of audit time (67% reduction) due to strong controls
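The segregation-of-duties gap in Company A can be checked mechanically, both on the role design and on the payment register itself. The following is an added example, not code from the original guide: the duty names, the list of conflicting pairs, the payment records and the staff names are all assumptions constructed for illustration.

```python
from itertools import combinations

# Duty pairs one role should not hold together. This conflict list is an
# assumption made for the example; the page names the duties, not the pairs.
CONFLICTS = {frozenset(pair) for pair in [
    ("create_vendor", "enter_invoice"), ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"), ("enter_invoice", "sign_check"),
    ("approve_payment", "sign_check"), ("create_po", "confirm_receipt"),
    ("confirm_receipt", "enter_invoice"),
]}

# Role-to-duty maps built from the two process descriptions above.
COMPANY_A = {
    "ap_clerk": {"create_vendor", "enter_invoice", "approve_payment",
                 "print_check", "sign_check"},
}
COMPANY_B = {
    "purchasing": {"create_po"},
    "receiving": {"confirm_receipt"},
    "accounts_payable": {"enter_invoice"},
    "manager": {"approve_payment"},
    "treasurer": {"sign_check"},
}

APPROVAL_THRESHOLD_AED = 10_000  # Company B: manager approves payments > AED 10K


def role_conflicts(role_duties):
    """Return sorted (role, duty_a, duty_b) for each conflicting pair one role holds."""
    findings = []
    for role, duties in role_duties.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in CONFLICTS:
                findings.append((role, a, b))
    return sorted(findings)


def payment_exceptions(payments):
    """Flag payments whose recorded actors show the control did not operate."""
    exceptions = []
    for p in payments:
        reasons = []
        present = [a for a in (p["entered_by"], p["approved_by"], p["signed_by"]) if a]
        if len(set(present)) < len(present):
            reasons.append("same person in two steps")
        if p["amount_aed"] > APPROVAL_THRESHOLD_AED and not p["approved_by"]:
            reasons.append("missing approval above threshold")
        if reasons:
            exceptions.append((p["id"], reasons))
    return exceptions


# Constructed sample payment register (not real data).
SAMPLE_PAYMENTS = [
    {"id": "PAY-001", "amount_aed": 4_500, "entered_by": "sara", "approved_by": None, "signed_by": "omar"},
    {"id": "PAY-002", "amount_aed": 18_000, "entered_by": "sara", "approved_by": "lina", "signed_by": "omar"},
    {"id": "PAY-003", "amount_aed": 27_500, "entered_by": "sara", "approved_by": "sara", "signed_by": "omar"},
    {"id": "PAY-004", "amount_aed": 12_000, "entered_by": "sara", "approved_by": None, "signed_by": "omar"},
]

if __name__ == "__main__":
    print("Company A conflicts:", role_conflicts(COMPANY_A))
    print("Company B conflicts:", role_conflicts(COMPANY_B))
    for pay_id, reasons in payment_exceptions(SAMPLE_PAYMENTS):
        print(pay_id, "->", "; ".join(reasons))
```

The role check covers control design, while the register check covers whether the control actually operated on each payment.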


Controls Testing: How Auditors Evaluate Your Controls

Two-Stage Process:

Stage 1: Test of Design

  • Is the control designed effectively?
  • Would it prevent/detect material misstatements if operating properly?

Example:

  • Control: Manager approves all purchase orders > AED 20K
  • Design effective? Yes (appropriate threshold, right level of approval)

Stage 2: Test of Operating Effectiveness

  • Is the control actually working throughout the year?
  • Auditor selects sample and verifies control operated

Example:

  • Auditor selects 25 POs > AED 20K
  • Checks for manager approval signature
  • Result: 24/25 approved (96%) → Control operating effectively
  • Note: 1 exception is acceptable (sample error)

If Both Tests Pass:

  • Auditor can assess Control Risk as LOW
  • Reduces substantive testing needed
  • Lower audit fees

If Tests Fail:

  • Control Risk assessed as HIGH
  • Increased substantive testing
  • Higher audit fees

Detection Risk Management: What Auditors Control

Adjusting Audit Procedures Based on Risk

Auditors manipulate Detection Risk through:

  1. Nature of procedures (type of testing)
  2. Timing of procedures (when testing occurs)
  3. Extent of procedures (how much testing)

Audit Procedure Adjustments

High Risk (Low Detection Risk Needed):

Nature:

  • Substantive procedures (detailed testing of transactions/balances)
  • Physical inspection
  • External confirmations
  • Detailed analytical procedures

Timing:

  • Year-end testing (not interim)
  • Surprise procedures (unannounced inventory counts)
  • Extended period coverage

Extent:

  • Large sample sizes (80-100 items)
  • Test 100% of high-value items
  • Multiple procedures per assertion

Low Risk (High Detection Risk Acceptable):

Nature:

  • Analytical procedures (trend analysis, ratio analysis)
  • Inquiry and observation
  • Review of reconciliations

Timing:

  • Interim testing (before year-end)
  • Standard scheduling

Extent:

  • Small sample sizes (15-25 items)
  • Test only unusual items
  • Single procedure may suffice

Real-World UAE Risk Assessment Examples

Example 1: DMCC Trading Company

Company Profile:

  • Industry: Electronics trading
  • Revenue: AED 25M
  • Employees: 15
  • Financial year: Dec 31, 2024

Auditor's Risk Assessment:

Revenue (AED 25M):

  • Inherent Risk: HIGH (70%)

    • Cut-off: Sales shipped in December vs. January (timing)
    • Related party sales: AED 8M to sister company (pricing risk)
    • Multiple currencies (FX risk)
  • Control Risk: MEDIUM-HIGH (60%)

    • Manual invoicing (no automated system)
    • Sales team prepares own invoices (no independent review)
    • Some related party approval documentation missing
  • Required Detection Risk: 5% ÷ (70% × 60%) = 12% (VERY LOW)

Auditor's Response:

  • Test 85 sales transactions (sample from population of 2,400)
  • Test cut-off: Review last 50 sales in December + first 50 in January
  • Related party sales: Test ALL AED 8M (100% coverage)
  • Compare related party pricing to third-party sales
  • Audit time: 20 hours

Inventory (AED 4.5M):

  • Inherent Risk: VERY HIGH (80%)

    • Fast-moving electronics (obsolescence risk)
    • No perpetual system (only annual count)
    • Tech products (rapid price changes)
  • Control Risk: HIGH (75%)

    • No cycle counting
    • Weak warehouse controls (no FIFO tracking)
    • No regular obsolescence reviews
  • Required Detection Risk: 5% ÷ (80% × 75%) = 8% (EXTREMELY LOW)

Auditor's Response:

  • Attend full physical inventory count (8 hours on-site)
  • Test count accuracy (recount 150 items personally)
  • Test valuation: Price test 100 items to purchase invoices
  • Obsolescence review: Age analysis + discussions with management
  • Audit time: 32 hours

Cash (AED 12M):

  • Inherent Risk: LOW (15%)

    • Simple transactions
    • Bank statements available
  • Control Risk: LOW (25%)

    • Monthly bank reconciliations (performed by accountant)
    • Reviewed by CFO
    • Strong segregation (different staff handle cash vs. reconcile)
  • Required Detection Risk: 5% ÷ (15% × 25%) = 133% (VERY HIGH)

Auditor's Response:

  • Send bank confirmation
  • Review year-end bank reconciliation
  • Test a few reconciling items
  • Audit time: 2 hours

Total Audit Time Allocation:

| Account | Balance | Risk Level | Audit Hours | % of Total Audit |
| --- | --- | --- | --- | --- |
| Inventory | AED 4.5M | Very High | 32 hrs | 40% |
| Revenue | AED 25M | High | 20 hrs | 25% |
| Receivables | AED 6M | Medium-High | 12 hrs | 15% |
| Payables | AED 3.2M | Medium | 8 hrs | 10% |
| Fixed Assets | AED 2M | Low-Medium | 4 hrs | 5% |
| Cash | AED 12M | Low | 2 hrs | 2.5% |
| Other | Various | Various | 2 hrs | 2.5% |
| TOTAL | - | - | 80 hrs | 100% |

Observation:

  • 40% of audit time on inventory (18% of total assets)
  • 2.5% of audit time on cash (48% of total assets)
  • Risk-based allocation, NOT balance-based

Impact on Audit Fees

How Risk Assessment Affects Your Audit Cost

Higher Risk = More Testing = Higher Fees

Example Cost Comparison:

Company A: Low-Risk Profile

  • Stable business (10 years operating)
  • Strong internal controls
  • Clean prior year audit (zero adjustments)
  • Simple transactions
  • Assessed Overall Risk: LOW

Audit Fee: AED 22,000 (80 hours × AED 275/hr)


Company B: High-Risk Profile

  • New business (2nd year audit)
  • Weak internal controls
  • Prior year had 8 material adjustments
  • Complex transactions (multiple currencies, related parties)
  • Assessed Overall Risk: HIGH

Audit Fee: AED 36,000 (130 hours × AED 275/hr)

Difference: +64% higher fee for high-risk company


How to Reduce Your Audit Fees Through Risk Reduction

Controllable Risk Factors:

1. Improve Internal Controls

  • Segregation of duties
  • Regular reconciliations
  • Authorization procedures
  • Impact: Reduces control risk by 30-50%
  • Fee savings: 15-25%

2. Organize Records

  • Monthly bookkeeping (not year-end catchup)
  • Complete documentation
  • Reconcile accounts monthly
  • Impact: Reduces detection risk needed
  • Fee savings: 10-15%

3. Fix Prior Year Issues

  • Implement auditor's recommendations
  • Correct recurring findings
  • Impact: Demonstrates lower inherent risk
  • Fee savings: 10-20%

4. Engage Auditor Early

  • 60-90 days before year-end
  • Interim testing possible (spreads work, reduces year-end pressure)
  • Impact: More efficient audit
  • Fee savings: 5-10%

Combined Potential Savings: 30-50% fee reduction from Year 1 to Year 3


Frequently Asked Questions

1. My auditor says my business is "high risk" and quoted 50% higher fees than my competitor's auditor. Is this fair?

Yes, if your business genuinely has higher risk factors. But verify the risk assessment is reasonable.

Legitimate High-Risk Factors:

  • First-time audit (no prior year comparison)
  • Weak internal controls
  • Complex transactions (related parties, multiple entities, technical revenue recognition)
  • Prior year material adjustments
  • Rapid growth (100%+ revenue increase)
  • Industry inherently high-risk (e.g., crypto, fintech)

Questions to Ask Your Auditor:

  1. "What specific risk factors are driving the higher fee?"
  2. "Can you show me the risk assessment breakdown?"
  3. "What can we do to reduce risk and fees for next year?"

Red Flags (Potentially Unreasonable):

  • Auditor cannot explain specific risks
  • Quotes higher fee just because you can "afford it"
  • Doesn't offer suggestions for risk reduction

Competitor Comparison Issues:

  • Competitor may have lower actual risk (better controls, simpler business)
  • Competitor's auditor may have under-priced (and will find issues during audit → scope creep)
  • Some auditors quote low to win work, then bill extras later

Our Recommendation:

  • Ask auditor to document risk assessment
  • Request suggestions for risk reduction
  • For Year 2+, expect 20-30% fee reduction as risks decrease

2. Can I negotiate to skip high-risk areas to reduce audit fees?

No. Auditor must test high-risk areas—that's the entire point of risk-based auditing.

Why Not:

  • ISA 315 requires auditors to respond to assessed risks
  • High-risk = where material misstatements most likely
  • Skipping high-risk areas = inadequate audit
  • Could result in:
    • Qualified audit opinion
    • Auditor professional liability
    • Regulatory action

What You CAN Negotiate:

Reduce Risk (Then Auditor Tests Less):

  • Improve controls → Lower control risk → Less testing
  • Simplify transactions → Lower inherent risk → Less testing
  • Organize records → Faster audit → Lower hours

Timing:

  • Spread work over year (interim + year-end) vs. all at year-end
  • Doesn't reduce total hours, but spreads cost

Staffing:

  • Use junior staff for low-risk areas (lower hourly rate)
  • Senior staff only for high-risk areas

Cannot Negotiate:

  • Skipping required procedures
  • Reducing sample sizes below professional standards
  • Eliminating testing of material high-risk areas

3. Why is my auditor testing last year's items (2023) during my 2024 audit?

Opening balances testing—required for first-time audits and whenever there's doubt about prior year.

When Prior Year Testing Required:

Scenario 1: First-Time Audit

  • This is your first audit ever (or first audit with this auditor)
  • Auditor must verify opening balances (Jan 1, 2024 if auditing 2024)
  • Why: Current year profit depends on accurate opening balances
    • Example: Opening inventory wrong → COGS wrong → Profit wrong

Testing Approach:

  • Review prior year financials (if any)
  • Test opening receivables (verify subsequently collected in 2024)
  • Test opening payables (verify subsequently paid in 2024)
  • Test opening inventory (reconcile to physical count + purchases/sales)

Scenario 2: Prior Auditor Qualified Opinion

  • Previous auditor couldn't verify certain balances
  • New auditor must resolve before relying on opening balances

Scenario 3: Red Flags in Prior Year

  • Significant unexplained changes
  • Prior year adjustments
  • Changes in accounting policies

This is Normal and Required:

  • Not auditor being excessive
  • ISA 510 requirement
  • Usually adds 15-25% to first year audit fee
  • Year 2 onwards: Much less prior year work needed

Conclusion

Risk-based auditing is the cornerstone of modern audit methodology, requiring auditors to assess inherent and control risk for each financial statement area and adjust detection risk (audit testing) accordingly to keep overall audit risk acceptably low (typically ≤ 5%). Understanding how the audit risk model works (Audit Risk = Inherent Risk × Control Risk × Detection Risk) explains why your auditor spends 8 days testing AED 8M inventory but only 2 hours on AED 15M cash—risk drives effort, not account size. Companies with strong internal controls, simple transactions, and clean prior audits enjoy 30-50% lower audit fees than high-risk businesses because lower control and inherent risk allows auditors to accept higher detection risk (less testing).

Your Risk-Based Audit Understanding Framework:

  • Risk determines audit effort (not account balance size)
  • Three risk types: Inherent (nature of account), Control (your internal controls), Detection (auditor's testing)
  • High-risk accounts: Revenue, inventory, estimates, related parties (get 60-80% of audit time)
  • Low-risk accounts: Cash, share capital, simple assets (get minimal audit time)
  • Control quality matters: Strong controls = 20-40% fee reduction
  • You control some risk factors: Better controls, organized records, fix prior issues
  • Cannot negotiate away risk: Must test high-risk areas per professional standards

At Farahat & Co, our 37 years of risk-based audit experience means:

  • Efficient risk assessment (we know UAE businesses and where risks typically exist)
  • Appropriate risk response (not over-auditing low-risk areas, not under-auditing high-risk)
  • Clear communication (we explain risk assessment and why we're testing what we test)
  • Control recommendations (we help you reduce risk for future year fee savings)
  • Fair pricing (risk-based fees, not arbitrary markups)

Questions about your audit risk assessment or how to reduce audit fees? Contact our team for a consultation. We'll review your risk profile and provide specific recommendations for risk reduction and audit efficiency.

Important Disclaimer

The information provided in this article reflects the regulatory environment as of 2026. Laws and regulations in the UAE are subject to change. This content is for general information only and does not constitute professional legal or financial advice. We recommend consulting with a qualified auditor or legal advisor for your specific situation.
